
Social Engineering

As per [1] it is an attack vector that relies heavily on human interaction and often involves
manipulating people into breaking normal security procedures and best practices in order to gain
access to systems, networks or physical locations, or for financial gain. Threat actors use social
engineering techniques to conceal their true identities and motives and present themselves as a
trusted individual or information source. The objective is to influence, manipulate or trick users
into giving up privileged information or access within an organization.
Popular types of social engineering attacks include [1][3]:
- Baiting
- Impersonation
- Phishing
- Spear phishing
- Vishing
- Pretexting
- Scareware
- Water-holing
- Diversion theft
- Quid pro quo
- Honey trap
- Tailgating
- Rogue

a real world, 'in the news' example of a social engineering attack.

Preventing social engineering

Security experts recommend that IT departments regularly carry out penetration testing that uses
social engineering techniques. This will help administrators learn which types of users pose the
most risk for specific types of attacks, while also identifying which employees require additional
training. Security awareness training can also go a long way toward preventing social
engineering attacks. If people know what forms social engineering attacks are likely to take, they
will be less likely to become victims. Verification is the key. A social engineer's goal is to fit in
with the crowd - to look like someone who should be there. They may be disguised as any
number of people who frequent your organization and, because they look like they belong, your
best defense is being alert and asking someone in authority if they should be there.[2]
On a smaller scale, organizations should have secure email and web gateways that scan emails
for malicious links and filter them out, thus reducing the likelihood that a staff member will click
on one. Staying up to date with software and firmware patches on endpoints is also important, as
is keeping track of staff members who handle sensitive information and enabling advanced
authentication measures for them.
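The email-gateway control described above can be illustrated with a small link scanner. The following is an added example, not part of the original page or of any product; it parses constructed sample messages, pulls hyperlinks out of the HTML body with the standard library, and flags three indicators a gateway would typically act on: the visible link text names one domain while the href points at another, the target is a bare IP address, and the target host is not on an (assumed, hypothetical) organizational allowlist. The domains and addresses in the samples are constructed placeholders.

```python
"""Toy email link scanner (added example, not from the original page).

Flags the phishing indicators a secure email gateway commonly checks on
outbound-to-user mail: display-text/href domain mismatch, bare IP targets,
and targets outside an organizational allowlist.
"""
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of domains the organization trusts (hypothetical values).
ALLOWED_DOMAINS = {"example.com", "payroll.example.com"}

# Constructed sample messages for demonstration; not real traffic.
SAMPLE_MESSAGES = [
    # Legitimate: link text and target agree and the host is allowlisted.
    "From: hr@example.com\nTo: staff@example.com\nSubject: Benefits update\n"
    "Content-Type: text/html\n\n"
    '<p>See <a href="https://payroll.example.com/benefits">payroll.example.com</a></p>',
    # Suspicious: visible text names the payroll site, href goes elsewhere.
    "From: hr@example.com\nTo: staff@example.com\nSubject: Password expiring\n"
    "Content-Type: text/html\n\n"
    '<p>Reset at <a href="http://payroll-example.test/reset">payroll.example.com</a></p>',
    # Suspicious: target is a raw IP address (TEST-NET-3 documentation range).
    "From: it@example.com\nTo: staff@example.com\nSubject: Invoice\n"
    "Content-Type: text/html\n\n"
    '<p><a href="http://203.0.113.7/invoice.php">Click here</a> to view</p>',
]


class _LinkExtractor(HTMLParser):
    """Collect (href, visible_text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Lower-cased hostname of a URL, or of text that looks like a bare domain."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _is_ip(host):
    """True when the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan_message(raw):
    """Return a list of (href, reason) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _LinkExtractor()
    parser.feed(body.get_content())
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if _is_ip(host):
            findings.append((href, "target is a bare IP address"))
        # Only treat the visible text as a domain claim if it looks like one.
        text_host = _host(text) if ("." in text and " " not in text) else ""
        if text_host and text_host != host:
            findings.append((href, f"display text names {text_host} but target is {host}"))
        if host and host not in ALLOWED_DOMAINS:
            findings.append((href, f"target host {host} is not on the allowlist"))
    return findings


def scan_all(messages):
    """Map each message's Subject header to its findings."""
    return {
        email.message_from_string(m, policy=policy.default)["subject"]: scan_message(m)
        for m in messages
    }


if __name__ == "__main__":
    for subject, findings in scan_all(SAMPLE_MESSAGES).items():
        print(subject, "->", findings or "clean")
```

The allowlist check is deliberately strict: a real gateway would pair it with reputation feeds and URL rewriting, but the point of the example is that the mismatch and bare-IP checks need no external data at all and already catch the two constructed lures.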

References
[1] Rouse, Margaret. “What Is Cryptography? - Definition from WhatIs.com.” SearchSecurity, Sept. 2018. Retrieved on 24/01/2019 from www.searchsecurity.techtarget.com/definition/cryptography.
[2] “What is Impersonation in Social Engineering?” Retrieved on 24/01/2019 from http://www.mysecurityawareness.com/article.php?article=384&title=what-is-impersonation-in-social-engineering#.XJcQDShKjIU
[3] “Social engineering (security).” Wikipedia. Retrieved on 24/01/2019 from https://en.wikipedia.org/wiki/Social_engineering_(security)
